Subdomain Security Not Important? Think Again!

Looking collectively at our recent audit reports for several well-known UK enterprise retail websites (which we systematically carry out in advance of client/prospect meetings), one glaring observation stood out: subdomain protection is being largely ignored. In fact, for each retailer audited, approximately 1/3 of their website domains were unprotected. This came as a bit of a surprise. After all, companies with more subdomains have a larger “attack surface,” but when I point this out to the prospective security lead, there is often little appetite to address the problem. “There’s nothing valuable on them; they’re password protected – so why bother?”

Beware a hidden danger

Subdomain takeover, as it is more commonly known, is on the rise, but despite this, it is often inadequately catered for, and there are limited measures in place to mitigate it. There’s a simple reason for this. Resource and budget-stricken security departments are already stretched, so attention tends to focus on securing primary domains. Finding vulnerable domains within a system is not a straightforward task, but subdomain security is an equally critical aspect that could end up doing more harm than good if left unchecked. Poor DNS hygiene opens the door to all kinds of abuse that can wreak havoc on the security of your organization and its stakeholders.

What are subdomains and why do they matter?

A subdomain is an appendix to your root website domain – support.companydomainname.com. They are set up for a variety of reasons: to host a separate blog or careers site, create a website testing environment or a different entity to an organisation’s main digital presence – i.e. a fan ‘shop’ for a football team website.

How can hackers exploit subdomains and why do they do it?

By stealing session cookies or source code, bad actors try to gain unauthorised access to a legitimate subdomain to tamper with the resource or replace it with a fake site. They can then trick unsuspecting users into visiting it, steal their cookies, and phish credentials, causing financial and reputational damage to a company,

How can companies protect themselves from subdomain takeover?

Subdomain management and visibility
Start by implementing SSL certification across all domains, not just the main one. Surprisingly, this standard procedure is not always implemented.

The next thing to do is to clear up unused or now-defunct DNS entries. Building a comprehensive library of subdomains and functions similar to what is often contained in a “brand book” helps keep tabs on what are legitimate subdomains and their uses.

Web Application Protection

Having all the subdomains protected through a Web Application Firewall (WAF) and bot management solution helps keep an eye on the movement of bad actors and the way they are attempting to gain access. Website subdomains have different purposes, and quite often, different hosting companies oversee them. That means that the way the WAF or bot management systems are administered may vary, causing problems for the IT manager in charge of managing them.
Think of it like getting into a strange car – you know that there are windscreen wipers but how they are controlled is likely to vary. Ensuring all subdomains are protected through a single protection scheme, i.e., a unified web application and an API protection (WAAP) solution with integrated WAF and bot management in one platform and interface, makes it easier to observe and ensure mitigation of threats across all subdomains.

DNS Monitoring
Having a common place where DNS is administered for the entire top-level domain makes it easier to look for vulnerabilities and monitor changes. Monitoring for new entries and changes to existing entries can be a great step to check bad actors.

Regular auditing
Using an established auditing tool is a vital part of website hygiene. It will expose all the subdomains and the level of protection in place. Beware also that these tools are often also used by bad actors to provide an indication as to what vectors of attack might be most successful.

A strong cybersecurity posture starts with securing every corner of your digital presence, including your subdomains. Finding vulnerable domains within a system is not a straightforward task but by putting in some simple routines, brands can better protect their assets and their reputation in the long term.

The Edgio Applications platform provides full application and API protection, including both management and DDoS protection combined with website acceleration tools, all managed through a single pane of glass.

If you’d like a comprehensive audit of your subdomains, sign up for a security audit or speak to one of our experts.

Supporting content

• https://hackernoon.com/how-hackers-attack-subdomains-and-how-to-protect-them-rc7j37f2
• https://informer.io/resources/subdomain-takeover
• https://www.theregister.com/2021/06/30/subdomain_vulnerabiilties/